Search results
Abstract
Purpose
There are two main industry-sanctioned enterprise risk management (ERM) models, that is, COSO 2004 and ISO 31000:2009, that firms refer to when implementing ERM programs. Taken together, the two ERM models specify that firms should implement ERM programs to meet a strategic need, improve operations and reporting or to comply with government regulations or industry best practices. In addition, the focus of ERM implementation should be either the subsidiary, business unit, division, firm/entity or global level. The purpose of this study is to investigate whether firms are aligning their ERM implementations with these tenets: strategy, operations, reporting, compliance and the level of implementation.
Design/methodology/approach
The proxy for ERM implementation is the hiring of a Chief Risk Officer (CRO). The research data come from a sample of 122 US firms that issued a press release following the hiring of a CRO between 2010 and 2014. The press releases were retrieved and aggregated through content analysis in LexisNexis Academic.
Findings
The results reveal that many ERM implementations are occurring at the firm/entity level, and with the exception of reporting, firms consider ERM to be a strategic firm resource capable of improving business operations and compliance initiatives.
Originality/value
There is a dearth of research studies specifically investigating whether ERM programs adopted by firms are aligned with the specification of COSO 2004 and ISO 31000:2009 frameworks. The apparent lack of a clear understanding of the alignment between the firm ERM programs and the industry’s ERM frameworks may limit the development and implementation of ERM and the eventual realization of the benefits associated with a successful ERM implementation.
Aapo Länsiluoto, Annukka Jokipii and Tomas Eklund
Abstract
Purpose
This study aims to examine and visualize the adopted internal control structure and effectiveness in firms and present a typology of firms. Control structure and effectiveness are measured based on the assessment of management, rather than using reported material weaknesses as most studies do. This type of evaluation is more purposeful for firms that do not apply the Sarbanes-Oxley Act. Internal control frameworks provide only broad guidance concerning internal control concepts, leaving the details to the adopting firms.
Design/methodology/approach
The survey data (from 741 CEOs) are clustered using the self-organizing map, a visual artificial neural network approach. A three-dimensional effectiveness proxy is used.
Findings
The analysis reveals four alternative types of internal control effectiveness in firms and visually presents how the components of the internal control structure are associated with each one. A typology of internal control structure and effectiveness is then created.
Practical implications
The findings suggest that there are interrelated, but not straightforward, relationships between internal control variables and that there is a link between some of them and higher internal control effectiveness in practice. These findings have important implications for those responsible for improving or assessing internal control, such as management, personnel and internal and external auditors.
Originality/value
This paper uses a clustering approach to create a typology for alternative types of internal control structure and effectiveness, based on data from actual firms. Instead of using material weaknesses as a measure, this study uses managers’ own assessments of internal control effectiveness.
Cláudia Pinto, Graça Azevedo and Jonas Oliveira
Abstract
The present chapter tries to assess the state of the art of enterprise risk management (ERM) among Portuguese non-financial companies regarding two main aspects: the ERM background in Portugal and the level of disclosure of ERM practices by non-financial listed companies. Since the analysis of disclosures is useful to understand the level of evolution and adoption of the ERM framework, we tried to assess the ERM practices disclosed by 26 Portuguese non-financial listed companies at the Euronext Lisbon Stock Exchange regulated market, during the period of 2006–2016. Main findings indicate that regulation on ERM in Portugal emanates from three main Codes (The Portuguese Companies Code, The Stock Exchange Code, and The Corporate Governance Code). The ERM professionalization in Portugal is in its infancy and has been promoted mainly by the Institute of Portuguese Internal Auditors. Moreover, research on topics such as risk reporting and risk management/ERM is very scarce. Overall, findings of prior literature are consistent with results from our exploratory study. We conclude that Portuguese non-financial listed companies still disclose very little information on ERM activities. However, over the period of analysis, the disclosure practices evolved positively. Findings show that ERM disclosure can still be extensively improved in the future.
Michela Arnaboldi and Irvine Lapsley
Abstract
Purpose
The purpose of this paper is to analyse enterprise risk management (ERM), its organizational translation and fit, investigating in particular its impact on a major control process: budgeting.
Design/methodology/approach
The research was carried out with a multiple case study approach including three companies in the UK. This approach was chosen to gain a deeper understanding of the nature of ERM within each of the organizations and the factors shaping its achievements.
Findings
Three main issues emerged. The first is related specifically to ERM implementations and its variety in practice. Second, ERM champions emerged as central in shaping the managerial usefulness of ERM. Third, the cases showed diversity of practice in terms of integration with budgeting, which ranges from a voluntary full integration to a voluntary separation.
Practical implications
The cases analysed highlighted that the integration between risk and other control processes is a challenge but also a strategic choice. Although conceding that ERM implementation is not linear, companies should reflect upon the type of relations they would like to have between different processes of control.
Originality/value
The results of the paper explored ERM organizational fit, evidencing variety in practice and theoretically discussing how this diversity is linked to organizational and technical issues.
Anita Meidell and Kjell Ove Røsok
Abstract
Since the mid-1990s, enterprise risk management (ERM) has proliferated in both the private and public sector as a holistic, enterprise-wide approach to risk management. In this chapter, we begin by exploring the economic, regulatory and professional context of ERM practices in Norway. To gain an understanding of the current state of ERM practices among Norwegian entities, we have conducted a survey among members of the Institute of Internal Auditors (IIA) Norway. Based on the survey data, we go on to analyse the perceived maturity of risk management practices of the surveyed organizations, as well as their integration of risk management with governance mechanisms and accounting practices. Four main findings emerged from the survey. We firstly observed that a majority of the respondents perceived that they had implemented ERM. Secondly, the average maturity of risk management practice is at a medium level, with ambitions to improve it further in the future. We further observed that a majority of the organizations have established risk management governance structures regarding the roles of risk management. However, there is still work to be done in relation to risk management functions in order for them to gain more attention and influence in the organizations. Finally, we find that risk management is more integrated with reporting processes than with strategic and performance planning processes, suggesting a more reactive than proactive approach to managing risks.
Fabienne-Sophie Schäfer, Bernhard Hirsch and Christian Nitzl
Abstract
Purpose
Drawing upon new institutional theory and blame avoidance theory, this paper aims to examine how stakeholder pressure has an impact on the implementation and use of risk management practices in public administrations. Furthermore, this paper investigates whether top management support mediates this proposed relationship.
Design/methodology/approach
This paper is based on a survey among public financial managers of German municipalities and federal agencies. Data from 136 questionnaires were used to evaluate the model.
Findings
The results indicate that top management support fully mediates the relationship between stakeholder pressure and risk management practices. This finding suggests that top management support is crucial for the successful implementation of accounting techniques, such as risk management, in public administrations.
Research limitations/implications
This study is based on subjective answers by public financial managers. Moreover, this study is based solely on German data. Hence, future research could use a mixed-method approach and data from other countries.
Originality/value
This paper examines whether stakeholder pressure exerts an impact on the sophistication of public risk management practices.
Glen Borg, Peter J. Baldacchino, Sandra Buttigieg, Engin Boztepe and Simon Grima
Abstract
This study challenges the conventional theoretical approach of the ‘Three Lines of Defence’ Model adopted by most of the Maltese credit institutions. The authors propose a paradigm shifting conceptualised framework that would alter the corporate governance structures of banks. The objective is to test the feasibility and willingness of credit institutions to adopt such an approach.
This study challenges the current practices of the internal auditing profession and organisations and invites them to evaluate their structures whilst recognising the benefits of adopting a combined assurance function.
In order to test this hypothesis, the authors sought out semi-structured interviews with controllers (Internal Auditors, Risk Managers and Compliance Officers) within Maltese Credit Institutions, varying in size from significant, medium-sized and small institutions; personnel from the Malta Financial Services Authority – the regulator, the Big Four audit firms and members of the Malta Forum of Internal Auditors, and practitioners working both within and outside the financial industry.
There were two contrasting opinions regarding the suggested proposition. On the one hand, those operating within the credit institutions, as well as the regulator and the external auditors, do not believe that the proposition of integrating risk, compliance and internal audit functions (IAF) in one team would be possible; the reason being that independence, which is the cornerstone of every IAF, would be severely impacted. On the other hand, there were those practitioners working outside the banking industry but with sufficient experience and knowledge in the field, who challenged the traditional concept of independence. They argue that the functions should not be separate from each other because they have much in common.
Four themes emerged from the study: (1) challenges as a concept, (2) benefits, (3) risks and (4) condition for successful implementation. All interviewees, from risk departments, boards, external auditors and regulators agree that a strong, knowledgeable and independent IAF is fundamental to every organisation but more so within the financial industry. Nevertheless, this study revealed two schools of thought that emerged from the findings in relation to the IAF and its regulation, and specifically, when the authors presented the proposition of an integrated function.
Kirsty Rae and Nava Subramaniam
Abstract
Purpose
This study aims to bring together theoretical concepts from the organizational justice, internal control and fraud literature to develop two distinct models relating to employee fraud and the quality of internal control procedures (ICP), respectively.
Design/methodology/approach
Survey data from 64 Australian firms were used to develop the two models. The first model was tested using a logistic regression analysis, and the second model was tested using a multiple regression analysis.
Findings
The first model reveals that the quality of ICP has a moderating effect on the relationship between perceptions of organizational justice and employee fraud. The second model indicates that ICP quality is significantly and positively related to three key organizational factors: the corporate ethical environment, the extent of risk management training of staff, and the internal audit (IA) activity level.
Practical implications
Risk management strategies relating to employee fraud will need to pay greater attention to organizational factors that affect both perceptions of justice at the workplace and ICP quality, including fostering a more ethical and equitable work environment, increasing IA activities and staff training in risk management.
Originality/value
Using the fraud triangle framework, this study extends previous literature by providing empirical evidence on the role of organizational justice and ICP regarding employee fraud.